Robust security program for ongoing protection

Tumelo is security conscious and committed to continually reviewing and improving our controls and programs to ensure we're always delivering a trustworthy service. 

Encryption at rest & in transit

Data is kept secure both in transit and at rest. TLS 1.2 or higher is used for data in transit, and AES-256 is used for at-rest encryption.

Secure development practices

All code is peer reviewed prior to release, with both manual and automated checks in place for security issues.

Monitoring and alerting

Our threat detection, logging and alerting systems notify response teams of any potential incidents.

Least privilege

We follow a least-privilege model, only granting higher privilege access to those with a genuine business need. We review all access on a quarterly basis.

Penetration testing

We conduct external penetration testing at least once a year. All assessments are performed by trusted third-party experts.

Risk management

An internal risk-management program is operated to identify, evaluate and remediate risk across the business.

Internal audit

Our internal-audit program continually reviews the effectiveness of the security program and its current controls.

Personnel security

All Tumelo team members undergo a security check upon joining the company. Security awareness training is ongoing via regular workshops and in-person sessions throughout the year.

Physical security

To protect your data, we house it in secure data centers that maintain multiple compliance certifications and attestations, including SOC2, ISO27001, and C5. You can verify our ISO certificate by visiting the British Assessment Bureau.


Trust centre  

You can review and request due diligence documentation from our Trust Centre: trust.tumelo.com 

Responsible disclosure  

Tumelo is committed to protecting our users and their data. We believe the contributions of the independent security research community are invaluable, and we welcome reports of potential issues.

If you believe you have discovered a vulnerability, you can send details to  

Report to us the following:  

  • A description of the vulnerability, precisely where it was discovered, and the real-world impact.
  • Details of the steps needed to reproduce the vulnerability (POCs, screenshots, and videos are helpful).
  • Please don’t report automated scanner results without proof of exploitability.